Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2022-34835: i2c: fix stack buffer overflow vulnerability in i2c md command (8f8c04bf) · Commits · U-Boot / U-Boot

In Das U-Boot through 2022.07-rc5, an integer signedness error and resultant stack-based buffer overflow in the “i2c md” command enables the corruption of the return address pointer of the do_i2c_md function.

CVE
#vulnerability#buffer_overflow#auth

Skip to content

Commit 8f8c04bf authored Jun 10, 2022 by Nicolas Iooss Committed by Tom Rini Jun 28, 2022

Browse files

i2c: fix stack buffer overflow vulnerability in i2c md command

When running "i2c md 0 0 80000100", the function do_i2c_md parses the length into an unsigned int variable named length. The value is then moved to a signed variable:

int nbytes = length;
#define DISP\_LINE\_LEN 16
int linebytes = (nbytes > DISP\_LINE\_LEN) ? DISP\_LINE\_LEN : nbytes;
ret = dm\_i2c\_read(dev, addr, linebuf, linebytes);

On systems where integers are 32 bits wide, 0x80000100 is a negative value to “nbytes > DISP_LINE_LEN” is false and linebytes gets assigned 0x80000100 instead of 16.

The consequence is that the function which reads from the i2c device (dm_i2c_read or i2c_read) is called with a 16-byte stack buffer to fill but with a size parameter which is too large. In some cases, this could trigger a crash. But with some i2c drivers, such as drivers/i2c/nx_i2c.c (used with “nexell,s5pxx18-i2c” bus), the size is actually truncated to a 16-bit integer. This is because function i2c_transfer expects an unsigned short le…

  • Changes 1

@@ -200,10 +200,10 @@ void i2c_init_board(void)

*

* Returns the address length.

*/

static uint get_alen(char *arg, int default_len)

static uint get_alen(char *arg, uint default_len)

{

int j;

int alen;

uint j;

uint alen;

alen = default_len;

for (j = 0; j < 8; j++) {

@@ -247,7 +247,7 @@ static int do_i2c_read(struct cmd_tbl *cmdtp, int flag, int argc,

{

uint chip;

uint devaddr, length;

int alen;

uint alen;

u_char *memaddr;

int ret;

#if CONFIG_IS_ENABLED(DM_I2C)

@@ -301,7 +301,7 @@ static int do_i2c_write(struct cmd_tbl *cmdtp, int flag, int argc,

{

uint chip;

uint devaddr, length;

int alen;

uint alen;

u_char *memaddr;

int ret;

#if CONFIG_IS_ENABLED(DM_I2C)

@@ -469,8 +469,8 @@ static int do_i2c_md(struct cmd_tbl *cmdtp, int flag, int argc,

{

uint chip;

uint addr, length;

int alen;

int j, nbytes, linebytes;

uint alen;

uint j, nbytes, linebytes;

int ret;

#if CONFIG_IS_ENABLED(DM_I2C)

struct udevice *dev;

@@ -589,9 +589,9 @@ static int do_i2c_mw(struct cmd_tbl *cmdtp, int flag, int argc,

{

uint chip;

ulong addr;

int alen;

uint alen;

uchar byte;

int count;

uint count;

int ret;

#if CONFIG_IS_ENABLED(DM_I2C)

struct udevice *dev;

@@ -676,8 +676,8 @@ static int do_i2c_crc(struct cmd_tbl *cmdtp, int flag, int argc,

{

uint chip;

ulong addr;

int alen;

int count;

uint alen;

uint count;

uchar byte;

ulong crc;

ulong err;

@@ -985,7 +985,7 @@ static int do_i2c_loop(struct cmd_tbl *cmdtp, int flag, int argc,

char *const argv[])

{

uint chip;

int alen;

uint alen;

uint addr;

uint length;

u_char bytes[16];

Related news

Ubuntu Security Notice USN-5764-1

Ubuntu Security Notice 5764-1 - It was discovered that U-Boot incorrectly handled certain USB DFU download setup packets. A local attacker could use this issue to cause U-Boot to crash, resulting in a denial of service, or possibly execute arbitrary code. Nicolas Bidron and Nicolas Guigo discovered that U-Boot incorrectly handled certain fragmented IP packets. A local attacker could use this issue to cause U-Boot to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, and Ubuntu 22.04 LTS.

CVE-2022-38701: en/security-disclosure/2022/2022-09.md · OpenHarmony/security - Gitee.com

OpenHarmony-v3.1.2 and prior versions have a heap overflow vulnerability. Local attackers can trigger a heap overflow and get network sensitive information.

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE-2023-6905
CVE-2023-6903
CVE-2023-6904
CVE-2023-3907